1. Home
  2. OpenKM 7.1
  3. Administration guide
  4. Configuration parameters
  5. LDAP configuration parameters
  1.  

OpenKM 7.1
Hardware and software requirements
Installation
Setup
Troubleshooting
Administration guide
Configuration parameters
Recommended configuration parameters
Preview parameters
LDAP configuration parameters
User interface configuration parameters
Workflow configuration parameters
Notification configuration parameters
Document version numeration configuration
Password validation configuration
Switch application to read-only mode
Security configuration parameters
Extensions configuration parameters
Performance configuration parameters
OpenOffice LibreOffice configuration parameters
WebDAV configuration parameters
CSV configuration parameters
Antivirus configuration parameters
Other configuration parameters
Experimental configuration parameters
AutoCAD configuration parameters
Thesaurus configuration
FTP configuration parameters
Two factor authentication configuration parameters
Multi-tenant configuration parameters
File plan
MIME types
Statistics
Metadata
Manage users and roles
Profiles
Relation types
CSS
Reports
Activity log
Automation
Stamp
Crontab
OCR templates
Languages
Utilities
User guide
Migration guide
Development

LDAP configuration parameters

The OpenKM LDAP integration is based on several LDAP searches to retrieve data.

LDAP queries are composed of three elements:

  1. Attribute or object to retrieve.
  2. Node base to scope the request.
  3. Filtering options.

Sample query

The query to retrieve mail attribute from an object of type person with sAMAccountName attribute value with {0} - this parameter indicates the userId - from node cn=users,dc=company,dc=local and descendants.

principal.ldap.mail.attribute

mail
principal.ldap.mail.search.base

cn=users,dc=company,dc=local
principal.ldap.mail.search.filter

(&(objectclass=person)(sAMAccountName={0}))

LDAP queries

  • principal.ldap.user.* is used to retrieve the user list.
  • principal.ldap.username.* are used to retrieve the user name.
  • principal.ldap.mail.* are used to retrieve user mail addresses.
  • principal.ldap.role.* are used to retrieve the role list.
  • principal.ldap.roles.by.user.* are used to retrieve a user's roles.
  • principal.ldap.users.by.role.* are used to retrieve users of a role.

For retrieving, data are injected arguments into option filters. For example, for getting the user mail, the application use parameter {0} to set argument value - userId - into filtering options.

Queries that use parameters to filtering:

  • principal.ldap.mail.search.filter=(sAMAccountName={0}). Where {0} is the attribute value retrieved from the principal.ldap.user.attribute.
  • principal.ldap.roles.by.user.search.filter=(&(objectclass=user)(sAMAccountName={0})). Where {0} is the attribute value retrieved from the principal.ldap.user.attribute.
  • principal.ldap.username.search.filter=(sAMAccountName={0}). Where {0} is the attribute value retrieved from the principal.ldap.user.attribute.
  • principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0})). Where {0} is the attribute value retrieved from the principal.ldap.role.attribute.

Parameters

Field / PropertyTypeDescription
principal.adapter String Class used to connect with LDAP.
system.login.lowercase String By default is empty. In case connecting to AD ( Microsoft Active Directory ) must be set to "true," that force all users to be logged in with a lowercase user Id. The reason is OpenKM is case-sensitive, and Microsoft Active Directory is not.
principal.ldap.server String LDAP server.
principal.ldap.security.principal String LDAP user distinguished name ( dn ).
principal.ldap.security.credentials String LDAP user password.
principal.ldap.referral String

This property specifies how OpenKM handles the referrals sent by AD in the search results. In almost most cases, this value is empty.

Note for Active Directory (AD) users: AD servers cannot handle referrals automatically, which causes a PartialResultException to be thrown whenever a referral is encountered in a search. To avoid this, set the ignorePartialResultException property to true. There is currently no way of manually handling these referrals in the form of ReferralException, i.e. either you get the exception (and your results are lost), or all referrals are ignored (if the server is unable to handle them properly. There is no simple way to get notified that a PartialResultException has been ignored (other than in the log).

More information at Spring LdapTemplate.

Values might be:

"ignore"

If principal.ldap.referral=ignore, the following exception will be thrown when a referral is encountered:

javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'dc=company,dc=com'

 "follow"

If principal.ldap.referral=follow, OpenKM will automatically follow the referral. To be successful, make sure OpenKM can access the referred server. The errors about ReferralExceptions should not be shown.

"throw"

If principal.ldap.referral=throw, the following exception will be thrown:

com.sun.jndi.ldap.LdapReferralException: Continuation Reference; remaining name 'dc=company,dc=com'

More information at Referrals in the JNDI.
principal.ldap.users.from.roles    Boolean When "true" tries to retrieve all users from the roles list.
principal.ldap.user.attribute String

User attribute.

principal.ldap.user.search.base

 List List of nodes base.

principal.ldap.user.search.filter

 String Filter options.

principal.ldap.username.attribute

 String Username attribute

principal.ldap.username.search.base

 String Node base.

principal.ldap.username.search.filter

 String Filter options.
principal.ldap.mail.attribute String

Mail attribute.
principal.ldap.mail.search.base String

Node base.
principal.ldap.mail.search.filter String Filter options.

principal.ldap.role.attribute

 String Role attribute.

principal.ldap.role.search.base

 List List of nodes base.

principal.ldap.role.search.filter

 String Filter options.

principal.ldap.roles.by.user.attribute

 String User attribute.

principal.ldap.roles.by.user.search.base

 String Node Base.

principal.ldap.roles.by.user.search.filter

 String Filter options.

principal.ldap.users.by.role.attribute

 String Role attribute.

principal.ldap.users.by.role.search.base

 String Node base.

principal.ldap.users.by.role.search.filter

 String Filter options.

Sample configuration

Field / PropertyTypeDescription
principal.adapter String

com.openkm.plugin.principal.LdapPrincipalAdapter
system.login.lowercase String

true
principal.ldap.server String

ldap://192.168.1.20:389
principal.ldap.security.principal String

CN=Administrator,OU=OpenKM,DC=company,DC=com
principal.ldap.security.credentials String

password
principal.ldap.referral String

 
principal.ldap.users.from.roles    Boolean

false
principal.ldap.user.attribute String

sAMAccountName

principal.ldap.user.search.base

 List

DC=company,DC=com

principal.ldap.user.search.filter

 String

objectclass=person

principal.ldap.username.attribute

 String

cn

principal.ldap.username.search.base

 String

DC=company,DC=com

principal.ldap.username.search.filter

 String

(sAMAccountName={0}
principal.ldap.mail.attribute String

mail
principal.ldap.mail.search.base String

DC=company,DC=com
principal.ldap.mail.search.filter String

(sAMAccountName={0}

principal.ldap.role.attribute

 String

cn

principal.ldap.role.search.base

 List

DC=company,DC=com

principal.ldap.role.search.filter

 String

objectclass=group

principal.ldap.roles.by.user.attribute

 String

memberOf

principal.ldap.roles.by.user.search.base

 String

DC=company,DC=com

principal.ldap.roles.by.user.search.filter

 String

(&(objectclass=person)(sAMAccountName={0}))

principal.ldap.users.by.role.attribute

 String

member

principal.ldap.users.by.role.search.base

 String

DC=company,DC=com

principal.ldap.users.by.role.search.filter

 String

(&(objectClass=group)(cn={0}))

 

© OpenKM kcenter v.1.0.0 (build: d51a7b0). All Rights Reserved. Documentation license